An Israeli security firm will expose a flaw common to thousands of iPhone and iPad applications, which allows miscreants to hijack software using persistent man-in-the-middle attacks.
"We identified a very large number of applications that are vulnerable to this problem," Skycure's CTO Yair Amit told The Register. The …

COMMENTS

I don't think the issue here is the HTTP redirect. The issue is trusting WiFi networks you meet in the wild since for this attack to be successful (as described in the article), the network needs to be compromised/owned by the attackers with either a gateway/proxy or some DNS hijacking to redirect the HTTP requests.

I always VPN my phone traffic through my home network; anyone (esp. tech types) who trusts 3rd party apps to only transmit auth tokens securely has a lot more faith in the developers than I do.

I'm curious to know if the Apache HTTP client used on Android blindly follows redirects by default; you can set up handlers to intercept and verify the redirect, but I'm not sure of the default behaviour.

I think the moral of this story is don't trust any network that's not yours, and even then, exercise caution.

"Flaw in application coding"

It doesn't sound like this is something that iOS could be changed to prevent, nor that there is anything that limits the bug to iOS versus any other OS under the sun. If they warned Apple so that Apple could (hopefully) notify its developers, what about Android or Windows developers? It doesn't matter what OS it is designed to run on, a MITM HTTP redirect can affect any app. I hope they aren't going to leave all the developers who don't have iOS versions hanging out to dry, then claim they are being "responsible" about the disclosure.

Or does iOS provide a particular API for an HTTP query that silently accepts an HTTP redirect, while the API in other OSes returns an error message and expects the application to handle it to try the redirect address? If that's the case, while it isn't technically a flaw in iOS, it is something that iOS might want to change to make it more difficult for poorly coded applications to fall victim to this.

What am I missing?

Re: What am I missing?

Yes, but HTTPS requires a valid certificate, which you have to pay for. So I guess many applications just use plain HTTP - and that's vulnerable to many different kinds of attacks if you can play MITM.

That is not news

A 301 response has ALWAYS been vulnerable to man-in-the-middle attacks and not just on iOS devices.

This is not news. It's a shallow attempt by a CTO of some security research firm that no-one has ever heard of to get free media coverage by scare mongering a user base that doesn't have the technical knowledge to understand all the big words.

What's next? Shock! Horror!!

Other people can read your USB stick if you let them borrow it says CTO of USB encryption software company.

As much as I hate Crapple...

...and everything and everyone with any hint of association to them such as owning any of their products...

...this is not their fault or anything to do with the platform. This is HTTP and this is not a "vulnerability" in any specific application. Why would I need to 301 the original request anyway - if I have already man-in-the-middled you then there are far more effective things I can do.

@Heyrick, @Happy Ranter, @AC "What am I missing"

AC: your question is "Surely if you can inject a 301 in the response, you can manipulate the rest of the response anyway?"

Sure, but a 301 makes it permanent. Your MITM may be temporary, but you are making a permanent change to the app now.

(heyrick: same...)

Happy Ranter: regardless of what their motivations are, the fact is that an *app* (as opposed to a real browser, even on a mobile device) does not have a URL bar, so the minimum protection we normally have when we get a 301 -- the fact that we can *see* the new URL in the bar -- does not exist here.
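The point made in the two comments above is that a 301 is remembered by the app, so a redirect injected during a short-lived MITM outlives the MITM. The following is an added illustration, not code from any commenter or from Skycure: a hypothetical redirect policy (`redirect_allowed`) and a small model of a persistent 301 cache (`RedirectCache`) that only follows and stores a redirect when it stays on the original host and does not downgrade HTTPS to HTTP. All URLs are constructed sample values.

```python
from urllib.parse import urlsplit, urljoin

# Constructed example: a policy an app could apply before honouring (or
# caching) a 301. Hypothetical names; not from any real HTTP library.

def redirect_allowed(request_url: str, location: str) -> bool:
    """Return True only if a 301 Location is safe to follow and remember."""
    src = urlsplit(request_url)
    dst = urlsplit(urljoin(request_url, location))  # resolve relative Location
    if dst.scheme not in ("http", "https"):
        return False
    # Never accept a downgrade from https to http.
    if src.scheme == "https" and dst.scheme != "https":
        return False
    # Same host only: a redirect to some other host is refused, so an
    # injected Location pointing elsewhere is neither followed nor cached.
    if dst.hostname != src.hostname:
        return False
    return True


class RedirectCache:
    """Models the 'permanent' part of a 301: remembered across sessions."""

    def __init__(self):
        self._map = {}

    def handle_response(self, request_url: str, status: int, location):
        """Apply the policy to a response; returns the URL to use next,
        or None when a 301 was refused (not followed, not persisted)."""
        if status == 301 and location is not None:
            if redirect_allowed(request_url, location):
                self._map[request_url] = urljoin(request_url, location)
                return self._map[request_url]
            return None
        return request_url

    def resolve(self, url: str) -> str:
        """What the app would contact on later runs for this URL."""
        return self._map.get(url, url)
```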